1. Field of the Invention
This application relates to the field of digital certificates and more particularly to the field of management of digital certificates.
2. Description of Related Art
In essence, a digital certificate C consists of a CA's digital signature securely binding together several quantities: SN, a serial number unique to the certificate, PK, the public key of the user, U, the user's identifier, D1, the issue date, D2, the expiration date, and additional fields. In symbols, C=SIGCA(SN, PK, U, D1, D2, . . . ).
It is widely recognized that digital certificates provide the best form of Internet authentication. On the other hand, they are also difficult to manage. Certificates may expire after one year (i.e., D2−D2=1 year). However, they may be revoked prior to their expiration; for instance, because their holders leave their companies or assume different duties within them. Thus, each transaction enabled by a given digital certificate needs a suitable proof of the current validity of that certificate, and that proof often needs to be archived as protection against future claims.
Unfortunately, the technologies used today for proving the validity of issued certificates do not scale well. At tomorrow's volume of digital certificates, today's validity proofs will be either too hard to obtain in a secure way, or too long and thus too costly to transmit (especially in a wireless setting). Certificate validation is universally recognized as a crucial problem. Unless efficiently solved, it will severely limit the growth and the usefulness of our PKIs.
Today, there are two main approaches to proving certificates' validity: Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP).